Cybersecurity is one of the fastest growing fields in technology. There are 3.5 million unfilled jobs predicted by the end of 2021, there's been a 0% unemployment rate since 2011, and spending reached $123 billion in 2020.
Whether you are a fresh graduate or are looking to make a shift in careers and nab one of those jobs, knowing how to best position yourself in an interview can give you the edge.
I've been working in cybersecurity for over 10 years, and majored in Business Information Systems and Classical Languages & Literatures (I hated math so Computer Science as a major was out). You don't need an academic background in computer science to get your start in cybersecurity, you just need to be curious and learn.
Below are 10 tips I've put together to help guide you in preparing for your first or next cybersecurity role.
0. Apply for the Job
Forget the qualifications listed on the job posting (well, maybe not completely). Does the job seem interesting? Would you like to work at the company? Do you have some of the criteria? Then apply!
Too often, I've seen very qualified individuals not apply for jobs because they felt that they wouldn't meet every single criterion listed. But if you think you can meet some of the requirements, then apply and at least have a dialogue.
Often hiring managers end up throwing every requirement they can think of on the job description, rather than the minimum needed for the role. And forget the degree requirements completely - some of the largest companies in the world don't require degrees anymore.
1. Get Involved in the Cybersecurity Community
Join local meetup groups, or participate in Capture the Flag competitions, such as those hosted by the National Cyber League. These events are open to beginners and experienced people alike, and help demonstrate your passion and commitment to cybersecurity growth.
I often instruct our recruiters to highlight any résumés they come across where they see the candidate participated in cybersecurity events.
In every interview I conduct, I always ask how the candidate keeps up to date with cybersecurity - this is a great time to talk about your reading list, projects, and the events and groups you are part of.
2. Do Your Research
One area where I see candidates stand out from the pack is when they demonstrate they have researched my company, and the industry my company is in.
Every candidate should be prepared to answer "What threats do you see against my firm, and what advice would you give leadership to mitigate these threats?". Even better, if you know the name of your interviewer prior to the interview, spend some time researching them on LinkedIn to get a sense of their background.
One of the best interviews I conducted was with a candidate who actually performed some reconnaissance on my company prior to the interview. They looked up my company's information on Shodan, Google, and other avenues to get a sense of potential exposure and an understanding of our public presence.
Note: Please do not try to actively scan the company's infrastructure and report vulnerabilities during your interview. This type of activity is in the grey area of legality at best, and likely won't endear you to the interviewer.
3. Keep Up with Current Events
Any candidate I interview should be able to tell me basic information about the latest trends in cybersecurity. This includes being able to discuss what "WannaCry" is, thoughts on recent breaches (such as the recent SolarWinds attack), and suggestions on how to prevent, contain, respond to, and recover from ransomware.
Depending on the seniority, I may not expect detailed technical information, but a cursory understanding is required.
4. Presentation is Important
While it can be tedious, you should make sure to tailor your résumé and cover letter to call out areas of interest that are in line with the job posting.
Tailor your résumé to the job you are applying for - don't add in a laundry list of unnecessary information.
The first part of the résumé, aside from your name and contact information, should be a brief introductory paragraph that really sells you to me. Explain what you bring to the table - this section helps separate you from the other résumés that just list work experience without giving context.
List the most current position you have, and work your way back. Be prepared to discuss any major noticeable gaps in employment.
If you've been in the professional arena for quite some time, you don't need to list every single career - 10-15 years is a good range to display. No one wants to read a ten page résumé - so make sure that every bullet point is relevant.
Avoid acronyms where possible, and try to provide at least three bullet points for every job listed on the résumé. Make sure these bullets list out your accomplishments, and where possible provide hard numbers rather than vague text. For example, "Achieved 60% cost savings" sounds better than "Saved money".
A note on grammar: Use present tense for the job you are working in, and past tense for all prior roles. Also, please use grammar and spell-check in your word processing program. A poorly written résumé often gets rejected before it is even sent to the hiring manager.
Professional memberships, publications, speaking engagements, and certifications
If applicable, use this section to list out any boards, communities, or professional organizations you belong to, as well as your membership (for example, member, director, founder, and so on).
This helps show the hiring manager your involvement in the community outside of your day to day employment and in general makes you a more attractive candidate.
Feel free to add in relevant or interesting memberships outside of cybersecurity groups - such as a troop leader for the Girl Scouts or board member of a non-profit. If your publication or speaking engagement is available online, include links to the content.
Last, list out your certifications, including the issuing body and when you achieved the certification.
Be careful with this section. It's tempting to list every single technical term under the sun here, but you should focus on the skills that you feel will make you an asset for the role you are applying to.
My biggest pet peeve in this section is when candidates put down "generic fluff" such as "OSI model", "TCP", "IP", "SSH", "Windows operating system", "Mac operating system", or even just a list of security tools.
When a hiring manager sees a technical skills section that only lists security tools, their first thought is usually "Can this candidate perform if they did not have access to these tools?"
Caution: If you list a skill on your résumé, be prepared to discuss it. I learned this myself in one interview where I was asked a series of very technical questions about the Python language simply because I put it on my résumé.
5. Develop Your Hard Skills
While not required for many roles, I do pay attention to résumés that indicate that the candidate has some form of development or coding experience.
If you don't have formal development experience, but you can do some basic coding (all of my coding pretty much involves having StackOverflow open in a browser window), you should absolutely put that on your résumé.
If you have contributed to any open source projects, or worked on code yourself, make sure that is highlighted on your résumé as well - this is something I try to look for on résumés. Sites like freeCodeCamp, CodeBashing, and LeetCode can help provide a solid scripting and coding foundation.
Understanding how a system works is fundamental to being able to efficiently protect it. Based on the role you are applying for, ensure you can speak about relevant technologies, with insight into the attacks and defenses relevant to the technology.
For example, if I am hiring a network security engineer, I would expect the candidate to explain what DNS is, how it works at a high level, and what protocol it uses (UDP. Only say TCP if you can qualify when specifically it will be used).
6. Develop Your Soft Skills
Communicating well is one of the most important skills any cybersecurity professional can have. Most organizations have a limited team size for cybersecurity, and as such you may be expected to speak to senior leadership that may not have your technical background.
One element I look for in any résumé is whether the candidate has listed public speaking engagements, such as presenting a topic at a conference. I expect any team member to be able to speak with employees and break down complex cybersecurity topics into easily digested, actionable information.
These skills are really hard to put down on paper. However, I expect any candidate to be (eventually) able to lead cybersecurity initiatives and projects.
Come to the interview prepared to discuss any project - whether from your career or a side project or activity (for example, coaching, tutoring, and so on) - where you had to take initiative, and what you learned from the experience.
Being organized is a key skill for a successful candidate to possess. No matter how good your technical skills, if you struggle meeting deadlines, or being able to multi-task (cybersecurity runs at a rapid pace - it is very difficult to have uninterrupted time focusing on one task), it will be difficult to land that job, especially on a small team.
7. Demonstrate Practical Experience
You don't need to have formal professional experience to apply for a cybersecurity job. However, you can give yourself a leg up over the competition by demonstrating projects and skills you have learned that are relevant to cybersecurity.
If you have a GitHub link to a project you worked on, or you decided to test out building a Kubernetes cluster on several Raspberry Pis, add that to your résumé!
8. Keep your Résumé Relevant
All too often I receive résumés that take up space listing out completed college courses related to cybersecurity when the candidate has been in the field for 5+ years.
Make sure that your résumé only lists relevant information - while it may not need to be relevant to cybersecurity (diversity of experience is always nice to see), college classes and a GPA really aren't relevant unless you are applying for your first job out of college.
While I am not of the opinion that a résumé must, no matter what, be only one page, the content should not feel fluffy. I rarely see a need for a résumé to be more than one page unless you have spent years in the field in various roles.
9. Be Professional
Cybersecurity in general tends to be a relatively informal industry (even more so in the age of digital interviews). However, first impressions are extremely important, so make sure to dress and act professionally during your interview (and ideally if you get hired too!).
I have seen candidates interview in stained undershirts, inappropriate graphic tees, and other unprofessional attire. This is your chance to make an impression, and while I wouldn't say you need to dress in a suit and tie, at a minimum you should dress in business casual clothing, similar to what you would wear if you had to come in to an office.
In addition to what you wear, how you speak is extremely important. We have all had bad managers in the past, or worked for terrible companies. However, don't spend your interview badmouthing previous employers or companies.
If you're asked about why you are leaving, or what issues you had with a job, it is better to just say the job "wasn't a good fit" and leave it at that. You don't want the interviewer assuming this is how you would talk about them.
How a candidate conducts themselves, and how diplomatic they are, is extremely important. Given how small many cybersecurity teams are, you can find yourself speaking with senior leadership, and the interviewer will be on the lookout for how they believe you would conduct yourself in those situations.
Last, and this should go without saying: always be polite. Whether to the HR recruiter, external recruiter, interviewer, or receptionist - always be polite. People do not want to hire and work with someone they feel is rude or disrespectful.
10. The STAR Method
Cybersecurity is a high-stakes, fast-paced field where critical and analytical thinking, ego (yours and others') management, conflict resolution, and leadership play a key role in the team's success.
Interviewers typically look for someone who has a hacker mindset - someone who is innovative, and can think critically to solve problems.
Come prepared to discuss situations where you have had to deal with conflicting priorities, solve complex problems, explain technical information to a non-technical audience, and even discuss areas where you see opportunity for growth in your performance.
While I won't go into various scenarios in this post, one key outcome I look for is whether the candidate understands how to frame cybersecurity risk.
There are times risks need to be taken, and it is our job to provide the right information so that the decisions made are informed. How well a candidate can analyze a problem is worth more than the experience written down on the résumé.
Especially when responding to behavioral interview questions, the STAR method provides a good framework of how to provide answers:
- Describe the situation you were in.
- What task were you performing, and what was the desired goal?
- Describe the action(s) you took to address the situation. Be specific and focus on your contributions.
- What was the result of your actions?
The jobs available in cybersecurity are many, covering numerous specializations that range from technical, hands on keyboard roles to governance and design roles. Use these tips to land your perfect job, and welcome to cybersecurity!